linux-stable.git/security/apparmor/include/file.h, branch linux-4.15.y

apparmor: Refactor to remove bprm_secureexec hook

2017-08-01T19:03:06+00:00

The AppArmor bprm_secureexec hook can be merged with the bprm_set_creds
hook since it's dealing with the same information, and all of the details
are finalized during the first call to the bprm_set_creds hook via
prepare_binprm() (subsequent calls due to binfmt_script, etc, are ignored
via bprm->called_set_creds).

Here, all the comments describe how secureexec is actually calculated
during bprm_set_creds, so this actually does it, drops the bprm flag that
was being used internally by AppArmor, and drops the bprm_secureexec hook.

Signed-off-by: Kees Cook 
Acked-by: John Johansen 
Reviewed-by: James Morris 
Acked-by: Serge Hallyn

apparmor: move path_link mediation to using labels

2017-06-11T00:11:44+00:00

Signed-off-by: John Johansen

apparmor: refactor path name lookup and permission checks around labels

2017-06-11T00:11:43+00:00

Signed-off-by: John Johansen

apparmor: update aa_audit_file() to use labels

2017-06-11T00:11:43+00:00

Signed-off-by: John Johansen

apparmor: move aa_file_perm() to use labels

2017-06-11T00:11:42+00:00

Signed-off-by: John Johansen

apparmor: revalidate files during exec

2017-06-11T00:11:37+00:00

Instead of running file revalidation lazily when read/write are called
copy selinux and revalidate the file table on exec. This avoids
extra mediation overhead in read/write and also prevents file handles
being passed through to a grand child unchecked.

Signed-off-by: John Johansen

apparmor: cleanup rename XXX_file_context() to XXX_file_ctx()

2017-06-11T00:11:37+00:00

Signed-off-by: John Johansen

apparmor: switch from file_perms to aa_perms

2017-06-11T00:11:30+00:00

Signed-off-by: John Johansen

apparmor: rework perm mapping to a slightly broader set

2017-06-09T12:59:22+00:00

Signed-off-by: John Johansen

apparmor: move permissions into their own file to be more easily shared

2017-06-08T19:51:53+00:00

Signed-off-by: John Johansen